Will Drewry of the Google Security Team reported a problem in regular
expressions code use by PostreSQL which results in a non-terminating infinite
nondeterministic finite automata optimization. These loops remain
even after the client disconnects and can be used to hog CPU and
connections to the database until a full-fledged denial of service
Note that these same looping behaviors have been reproduced in Tcl. Not sure if that should get its own
CVE or not.
If it's same code used in multiple products / projects (usually taken from one
project to another), single CVE id is usually used.
Public now, lifting embargo:
TCL fixed in 8.5.0, patch:
postgresql-8.2.6-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
postgresql-8.2.6-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Application Stack:
Red Hat Enterprise Linux:
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:0122 https://rhn.redhat.com/errata/RHSA-2013-0122.html